Background of the Invention 

Field of the Invention 

The invention relates to a system and method of using a biometric sensor to 
provide secure access to an Internet site. More particularly, the invention relates to a 
method of providing secure Internet transactions using biometric data. 
Description of the Related Art 

A commonly available means for identifying computer users is the use of 
passwords. More recently, biometric mechanisms such as fingerprint sensors are 
available that allow for extremely reliable identification of users. However, few 
compelling applications have been proposed for the use of such devices in network 
environments. Existing examples of such applications include: OS logon, client/file 
encryption, and access to Internet/WEB sites. 

Cryptography generally relies on the user possessing and keeping secret a 
cryptographic key. Such a key may be used to digitally sign or encrypt a document. 
Previously this secrecy has been implemented by having the user keep the key in the 
user's physical possession. Such possession has typically taken the form of keeping the 
key on the hard disk of the user's computer or, more securely, on a "Smart" or "Chip" 
card. Such means of maintaining secrecy have a number of weaknesses. In particular, a 
hard disk is typically an insecure environment in which the key may be fraudulently 
copied. Even Smart cards are typically protected only by a four-digit PIN. More 
generally, giving the user responsibility for protecting the most critical part of the 
system is not an intuitively secure solution. 

Summary of the Invention 
One aspect of the invention relates to an alternative scheme that does not rely on 
the user's ability to protect the secret key in any way. In this scheme the private key is 
stored within an ultra secure server (USS) and associated with a biometric template 
unique to the owner of the private key. The USS is configured to meet the following 
requirements: 

1. Under absolutely no conditions may the private key leave the USS. 

2. The private key must only be accessed upon presentation of an incoming 
biometric template that matches the stored template. 

3. Upon matching, the private key may be only used to enable a limited set 
of standard cryptographic operations such as digital signatures and encryption. 

Another aspect of the invention involves a secure (WEB) site that includes a 
secure server and the USS, which is associated with the secure server. The secure site is 
maintained by a service provider which allows each registered and enrolled user to 
access a user-specific site that provides links to user-selected Internet services. 

Brief Description of the Drawings 

Figure 1 shows a first embodiment of a communications system. 

Figure 2 shows a second embodiment of a communications system. 
Detailed Description of the Preferred Embodiment 

Figure 1 shows an overview of a communications system in which several 
computers (PC) and one or more online vendors OV have access to the Internet. A 
biometric (fingerprint) sensor is connected to each computer and each computer is 
assigned to a user U1, U2. The system further includes a secure site which can be 
accessed by the users U1, U2 and the online vendors OV. 

The computers provide for hardware or software encryption of the users' 
fingerprints. In one embodiment, a WEB browser provides for the encryption and 
communication occurs via a conventional Internet protocol IP. 

The secure site is formed by a secure server SS in combination with an ultra 
secure server USS. The USS includes a biometric match processor, an encryption 
processor, and a secure memory. The secure memory comprises pairs of biometric 
templates and private keys. The USS communicates with the SS via a SCSI bus. In one 
embodiment the secure memory may be a large bank of smart cards, each containing the 
biometric template, private key and a cryptographic engine. In such a configuration, 
neither the biometric nor the secret key would need to leave the confines of the smart card. 

During an enrollment procedure, the fingerprint (template) of a new user is 
obtained and stored in the secure memory. This fingerprint template is then available in 
the secure site to allow the new user subsequent access to the secure site. 

The security of the transmission of the biometric template is protected. Two 
means are listed as follows: 

1. At the point of acquisition of the biometric template (e.g., the biometric 
sensor) the template is encrypted with the public key of the secure server. This ensures 
that only the secure server that is in possession of the matching private key may decrypt 
the template. 

2. At the point of acquisition of the biometric template (e.g., the biometric 
sensor) the template is encrypted with the public key of the user. This ensures that the 
template may only be decrypted given access to the user's private key, which is stored at 
the secure server SS. This scheme ensures that even if the server's private key is 
compromised, the biometric templates will remain secure. 

The invention involves several applications for the secured site. Such 
applications include, for example, providing secure email or documents, secure Web 
pages, secure (Internet) chat, trusted e-commerce portals, and public key-pair 
generation. The invention involves three inter-related concepts: the use of a "Secure 
Hot Key," a trusted community and a trusted e-commerce portal. 

The Secure Hot Key activity takes place when a biometric sensor is attached to a 
network access device such as a PC, PDA or cellular phone. User activation of the 
device, such as a user touching the fingerprint sensor, initiates the following sequence. 

1. The user's identity is verified by matching the new biometric sample to a 
previously stored sample held on the client or a dedicated network server. 

2. Once identified, the server provides the user access to a secure set of 
services. Such access may for example be provided as a WEB page served by the 
server that includes Web links representing such services. 

Trusted Community: 

Given the existence of the above-described "secure hot key," the identity of users 
accessing the server can be determined with a high degree of certainty. Creation of such 
a "Trusted Community" enables the provision of a number of unique services for 
members of the community. The services include (with reference to Figure 1): 

Secure and trusted Email or document: 

All senders and receivers of email have absolute confidence that the sender of an 
email or the recipient of an email is of unambiguous identity. 

(1) U1 creates a document on the secured server SS and adds a digital signature 
to the created document using the fingerprint sensor and the ultra secure 
server USS. 

(2) U2 receives the signed document in his account on the SS. 

(3) U2 uses his fingerprint and the USS to 

(a) decrypt the received document with his private key 

(b) create a digitally signed receipt that is returned to U1 for tracking. 
That is, U1 can monitor whether U2 receives and opens the document. 

(4) Note: Either U1 or U2 may be part of the network. For example, if U2 is not 
part of the network, both U1 and U2 can still send and receive documents; 
however, the guaranteed tracking function will not work. 

Secure Web pages, trusted Web: 

For instance for medical documents and e-commerce services. 

(1) U1 creates a Web page and signs it with a digital signature using the 
biometric sensor and the USS. 

(2) U2 views the Web page and uses the USS to decrypt the page and digitally 
sign a receipt that is sent to U1. 

Secure and trusted chat: 

For instance for doctor/patient discussions. 

(1) U1 creates a line of text and uses the USS to encrypt and sign the line of text. 

(2) U2 uses the USS to decrypt the line of text and creates a receipt for U1. 

Trusted E-Commerce Portal 

In addition to the services outlined above that involve peer-to-peer interactions 
within the community, additional user services can be created as the community 
communicates with external entities such as other WEB sites. The general purpose of 
such communications is expected to be the provision of electronic commerce services to 
members of the community. 

(1) U1 is authenticated using the USS. 

(2) The SS contacts the online vendor OV and assures the OV as to U1's 
identity. 

(3) The SS may generate a session key and distribute it to U1 and OV so that 
they may have a secure transaction. 

Public key-pair generation: 

(1) Pairs of private and public keys can be created inside the USS. 

(2) The private key is stored in the secure memory. 

(3) The public key is put into a digital certificate data structure and is published. 
However, an annotation is made in the certificate to the effect that the 
corresponding private key is biometrically protected. This permits the 
receiver of a signed document to verify the biometric signing. 
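The following is an added illustration, not code from the patent, of the three USS requirements above (key never leaves, access only on template match, only a limited set of operations) together with key-pair generation inside the USS. It assumes a constructed 32-byte bit-string template compared by Hamming distance as a stand-in for a real fuzzy biometric matcher, and Ed25519 as the signing operation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"math/bits"
)

// Constructed stand-in for a biometric template: a 32-byte bit string compared
// by Hamming distance with a threshold, modelling a fuzzy matcher (assumption).
const matchThreshold = 16

type record struct {
	template []byte
	priv     ed25519.PrivateKey // never returned by any method
}

// USS models the ultra secure server: secure memory of (template, private key)
// pairs, a match processor (hamming) and an encryption processor (Sign).
type USS struct{ users map[string]record }

func NewUSS() *USS { return &USS{users: map[string]record{}} }

// Enroll generates the key pair inside the USS and hands out only the public key.
func (u *USS) Enroll(id string, template []byte) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	u.users[id] = record{template: append([]byte(nil), template...), priv: priv}
	return pub, nil
}

// hamming counts differing bits between two equal-length templates.
func hamming(a, b []byte) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// Sign is the only operation exposed on the key: it runs only when the presented
// sample matches the stored template, and the private key itself never leaves.
func (u *USS) Sign(id string, sample, msg []byte) ([]byte, error) {
	r, ok := u.users[id]
	if !ok || len(sample) != len(r.template) || hamming(r.template, sample) > matchThreshold {
		return nil, errors.New("biometric match failed")
	}
	return ed25519.Sign(r.priv, msg), nil
}
```

A relying party verifies the returned signature with the published public key; nothing in the USS API returns or exports the private key.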

With reference to Figure 2, the trusted community can be used as a "trusted 
firewall" between the user and the merchant. Because the community has reliable 
information as to the user's identity, it can extract certain user properties, such as the 
user's ability to pay, and carry these properties to the merchant. In this situation, after 
the user has selected items for purchase at the merchant's WEB site, the community can 
clear payment for goods and services without ever revealing the identity of the user. 
This arrangement benefits both the user, whose privacy is preserved, and the merchant, 
who is assured payment. Note that, whereas the link between user and community is 
made using biometric identification means, the links between the community and 
merchants may use standard cryptographic techniques, as the latter links are between 
secure computer servers, not individuals. In this mode, the community is acting as the 
trusted portal between the user and the merchants. 

Payment methods include at least two novel mechanisms for clearing payments 
from the community to a merchant using the existing credit card infrastructure. 

1. At the time of payment the portal generates a one-time-use credit card 
number and informs the credit card company of this number and the expected amount of 
the transaction. The portal then provides this number to the merchant, who uses normal 
credit card validation techniques to ensure payment to the merchant. 

2. Credit card companies issue card members with a card whose number is not 
valid for normal Internet transactions. That is to say, when this card number is provided 
directly to an Internet merchant, any attempted clearance of the transaction will fail. 
The only exception to this failure occurs if the merchant notifies the card company 
during the verification process that the number was received over a link from the 
trusted portal. This arrangement allows credit card holders to shop using their card in 
non-Internet environments as usual but protects against theft of that number and 
subsequent fraudulent use on the Internet. 

WHAT IS CLAIMED IS : 

1. An apparatus for a secure network site, comprising: 

a first processor configured to match a biometric data of a present user 
with stored biometric data of registered users; 

a memory associated with the first processor, the memory storing at least 
one of a private key and biometric data of a registered user; and 

a second processor associated with the memory and the first processor 
and configured to encrypt data. 